On Thu, Nov 18, 2004, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Thu, 18 Nov 2004 01:45:54 +0100, "Dr. 
> Stephen Henson" <[EMAIL PROTECTED]> said:
> 
> steve> On Wed, Nov 17, 2004, Richard Levitte - VMS Whacker wrote:
> steve> 
> steve> > However, I don't think this is a proper path to follow.  Shouldn't
> steve> > the check if a CA certificate is really a CA certificate be done
> steve> > at all times, regardless of the purpose?
> steve> > 
> steve> 
> steve> At the time this was first done basicConstraints wasn't as
> steve> universal as it is now.
> steve> 
> steve> Some certificates used the "Netscape Certificate Type"
> steve> extension which has various bits to indicate a CA and a purpose
> steve> so the actual check performed depended on the purpose.
> steve> 
> steve> Some applications just limited the path length.
> 
> OK.  How likely is it that there might be odd combinations of those?
> Should I care?
> 

It's hard to say how many applications still rely on this. Whatever is done
there needs to be a way to override some or all of the checks to handle broken
certificates.

I can recall one horribly important CA which doesn't include basicConstraints
at all but does include keyUsage with keyCertSign: that's one reason for
the current behaviour of ca_check().

I received an email from someone who said that OpenSSL was very popular as a
result because it was the only library (other than a proprietary one) that
could verify the certificates.

There's an X509_STRICT flag which disables most of the workarounds because
at least one compliance test 

> steve> Now I'd say it's OK to make the CA check universal. All the
> steve> standard purposes do include the CA check anyway.
> 
> OK, that's actually quite easy, I'll have a patch prepared for review
> within an hour or so.
> 

Now I've come to think of it there's a one line change in 0.9.8 which will
enable the checks for the default case (which is the only one of the standard
purposes which doesn't include CA checks) while still allowing it to be
overridden. 

I wouldn't advise changing this in 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
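
The fallback order discussed in this message (basicConstraints, then keyUsage with keyCertSign, then the Netscape Certificate Type bits, with a strict mode that drops the workarounds), as an added example that is not part of the original post and is not OpenSSL's own code. All names are hypothetical, the sample certificates are constructed, and the precedence order and the strict-mode rule are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified view of the CA-relevant extensions of one cert. */
struct cert_ext {
    bool has_bcons, bcons_ca;     /* basicConstraints present / CA:TRUE */
    bool has_kusage, ku_certsign; /* keyUsage present / keyCertSign set */
    bool has_nscert, ns_ca;       /* Netscape Certificate Type present / CA bit */
};

enum ca_result { NOT_CA = 0, CA_BCONS, CA_KUSAGE, CA_NSCERT };

/* Constructed samples, not real certificates. */
const struct cert_ext SAMPLE_BCONS   = { .has_bcons = true, .bcons_ca = true };
const struct cert_ext SAMPLE_KU_ONLY = { .has_kusage = true, .ku_certsign = true };
const struct cert_ext SAMPLE_NS_ONLY = { .has_nscert = true, .ns_ca = true };
const struct cert_ext SAMPLE_LEAF    = { .has_bcons = true, .bcons_ca = false,
                                         .has_nscert = true, .ns_ca = true };
const struct cert_ext SAMPLE_BARE    = { 0 };

/* Lenient classification: explicit statements win, workarounds fill gaps. */
enum ca_result model_ca_check(const struct cert_ext *c)
{
    if (c->has_kusage && !c->ku_certsign)
        return NOT_CA;                  /* keyUsage forbids signing certs */
    if (c->has_bcons)
        return c->bcons_ca ? CA_BCONS : NOT_CA;
    if (c->has_kusage)
        return CA_KUSAGE;               /* keyCertSign, no basicConstraints */
    if (c->has_nscert && c->ns_ca)
        return CA_NSCERT;               /* legacy Netscape CA bit only */
    return NOT_CA;
}

/* Assumption: strict mode accepts only basicConstraints with CA:TRUE. */
bool model_is_ca(const struct cert_ext *c, bool strict)
{
    enum ca_result r = model_ca_check(c);
    return strict ? r == CA_BCONS : r != NOT_CA;
}

int main(void)
{
    const struct cert_ext *s[] = { &SAMPLE_BCONS, &SAMPLE_KU_ONLY,
                                   &SAMPLE_NS_ONLY, &SAMPLE_LEAF, &SAMPLE_BARE };
    const char *n[] = { "bcons CA:TRUE", "keyCertSign only",
                        "nsCertType only", "bcons CA:FALSE + ns", "no extensions" };
    for (int i = 0; i < 5; i++)
        printf("%-20s lenient=%d strict=%d\n", n[i],
               model_is_ca(s[i], false), model_is_ca(s[i], true));
    return 0;
}
```

The "keyCertSign only" sample corresponds to the CA described above that omits basicConstraints: the model accepts it in lenient mode and rejects it in strict mode.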
